How do I use CVS without typing my password each time?
Christopher Brooks, 9 Aug 2010
Last updated: 12 Jan 2011
To use CVS to update files without typing your password, you will first need a CVS account. See How do I get a CVS account? and request an individual account. In the comments section, be sure to state that you think you have a shared account and that you would like your account recreated as an individual account so that you do not have to type your password.
The steps below are slightly modified from the CVS SSH instructions.
SSH (and therefore CVS) can use RSA and Rhosts style authentication so that you can log in without typing your password. Using Rhosts authentication alone is insecure, and most CVS servers (this one included) disallow it.
RSA can be used with or without Rhosts authentication.
Using RSA alone, any user with the appropriate RSA key and passphrase can access the repository.
Using RSA and Rhosts restricts repository access to only computers listed in Rhosts that also have the appropriate RSA key.
Note that for RSA with Rhosts authentication to work, each host that you are logging in from needs to be listed in two files. If you are connecting from multiple hosts via dynamic DSL, then each time you connect you are likely to have a different address, which makes managing the files difficult. There are several possible solutions: one is to try to use wildcards in ~/.ssh/known_hosts and ~/.shosts; the other is to run a script that updates these files automatically. Both solutions are complex and have security issues, so we do not cover them here. It is much simpler to use RSA authentication alone in this case.
RSA authentication
Once your account has been set up, do the following:
- Create ~/.ssh/id_rsa.pub on the local machine:
Unix, including probably Mac OS X:
If ~/.ssh/id_rsa.pub does not exist on your local machine, then create it by running
ssh-keygen -t rsa
When prompted for a passphrase, hit return. If you type in a passphrase here, you will be prompted for that passphrase each time.
Running ssh-keygen will generate the files ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub, which are your private and public encryption keys respectively.
Windows:
- Download and install PuTTY (download the installer so that you get PuTTYgen).
- Invoke PuTTYgen.
- Move the mouse around to generate randomness :-)
- Do not enter a passphrase. If you enter a passphrase here, you will be prompted for that passphrase each time.
- Click on "Save Private Key" and save the file to a location to be used by TortoiseCVS (FIXME: need more info about the location here)
- Click on "Save Public Key". The public key is what should be transferred to the cvs or svn server.
- FIXME: need info about setting up TortoiseCVS with the PuTTY key.
- Create ~/.ssh/authorized_keys2 on source:
Set the permission of ~/.ssh/id_rsa.pub to 0644 and then copy ~/.ssh/id_rsa.pub over to ~/.ssh/authorized_keys2 with the scp -p flag to preserve permissions.
chmod 0644 ~/.ssh/id_rsa.pub
scp -p ~/.ssh/id_rsa.pub yoursourcelogin@source:~/.ssh/authorized_keys2
where yoursourcelogin is your CVS login on source.eecs.berkeley.edu (which may be different from your website login).
- From the local machine, test ssh with:
ssh yoursourcelogin@source.eecs.berkeley.edu cvs
to check the setup.
Below is a sample run:
cxh@DOPLAP03 ~
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/cygdrive/c/cxh/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /cygdrive/c/cxh/.ssh/id_rsa.
Your public key has been saved in /cygdrive/c/cxh/.ssh/id_rsa.pub.
The key fingerprint is:
03:2a:8a:3b:96:93:6b:74:86:c8:ea:30:e2:c9:11:68 cxh@DOPLAP03
cxh@DOPLAP03 ~
$ chmod 0644 ~/.ssh/id_rsa.pub
cxh@DOPLAP03 ~
$ scp ~/.ssh/id_rsa.pub cxh@source.eecs.berkeley.edu:~/.ssh/authorized_keys2
The authenticity of host 'source (128.32.171.225)' can't be established.
RSA key fingerprint is 74:57:84:9b:ca:b8:44:1d:fa:f0:e3:27:29:ac:19:c6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'source,128.32.171.225' (RSA) to the list of known hosts.
cxh@source's password:
id_rsa.pub 100% |*****************************| 222 00:00
cxh@DOPLAP03 ~
$ ssh cxh@source.eecs.berkeley.edu cvs
Usage: cvs [cvs-options] command [command-options-and-arguments]
where cvs-options are -q, -n, etc.
(specify --help-options for a list of options)
where command is add, admin, etc.
(specify --help-commands for a list of commands
or --help-synonyms for a list of command synonyms)
where command-options-and-arguments depend on the specific command
(specify -H followed by a command name for command-specific help)
Specify --help to receive this message
The Concurrent Versions System (CVS) is a tool for version control.
For CVS updates and additional information, see
the CVS home page at http://www.cvshome.org/ or
Pascal Molli's CVS site at http://www.loria.fr/~molli/cvs-index.html
cxh@DOPLAP03 ~
$
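The scp in step 2 replaces whatever is already in ~/.ssh/authorized_keys2, so installing a key from a second machine would displace the first one. The following is an added example, not part of the original instructions: it merges keys into a local copy before the file is copied back, and refuses a private key or a PuTTYgen-format public key file. The function names is_rsa_pubkey and add_pubkey are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# is_rsa_pubkey FILE: succeed only for a one-line OpenSSH RSA public key
# ("ssh-rsa <base64> [comment]").
is_rsa_pubkey() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    # id_rsa (the private half) starts with a PEM "-----BEGIN" header.
    if grep -q -e '-----BEGIN' "$1"; then
        echo "refusing $1: this is a PRIVATE key" >&2; return 1
    fi
    # PuTTYgen's "Save public key" file is multi-line
    # ("---- BEGIN SSH2 PUBLIC KEY ----") and is rejected here as well.
    [ "$(grep -c . "$1")" -eq 1 ] &&
        grep -Eq '^ssh-rsa [A-Za-z0-9+/]+=*( .*)?$' "$1" ||
        { echo "refusing $1: not a one-line ssh-rsa key" >&2; return 1; }
}

# add_pubkey AUTHFILE PUBFILE: append PUBFILE's key to AUTHFILE unless the
# same key material is already listed, then set mode 0644 as in step 2.
add_pubkey() {
    auth=$1 pub=$2
    is_rsa_pubkey "$pub" || return 1
    blob=$(awk 'NF { print $2 }' "$pub")
    touch "$auth"
    if ! grep -qF -- "$blob" "$auth"; then
        awk 'NF' "$pub" >> "$auth"     # always ends with a newline
    fi
    chmod 0644 "$auth"
}

# On a second machine (host and login as in the steps above; not run here):
#   scp yoursourcelogin@source:~/.ssh/authorized_keys2 /tmp/authorized_keys2
#   add_pubkey /tmp/authorized_keys2 ~/.ssh/id_rsa.pub
#   scp -p /tmp/authorized_keys2 yoursourcelogin@source:~/.ssh/authorized_keys2
```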
After the above steps, you should not be prompted for your password each time you run a cvs command. There are two ways to avoid typing a passphrase each time.
The first is to use only RSA authentication as described above, and give an empty passphrase.
Note that this means that if someone steals your laptop and breaks into your account, they will be able to use the ssh command to get on to your Unix account.
RSA authentication works with ssh1 and ssh2.
The second way is to set up Rhosts RSA authentication, which currently only works with ssh1.
In this case, ssh will authenticate your computer instead of you. It is somewhat safer for your computer to log in without a password because the CVS server can determine where your computer is located. Your computer can only log in without a password if it also has the correct name and IP.
This method is shown below.
Rhosts RSA authentication
These instructions apply to ssh1 clients, like the version of ssh that is currently shipped with cvsssh. For ssh2, see above.
- Set up ~/.shosts on gigasource:
Create a temporary file on your local machine that contains the name of the host you will be logging in from.
echo "myhost.eecs.berkeley.edu" > /tmp/shosts
- Change the permissions of the file on your local machine so that it is only readable by you. Note that you can't run chmod on the remote machine under rksh, so you need to fix the permissions before you copy the file over.
chmod 0600 /tmp/shosts
- Copy the file over:
scp /tmp/shosts gigasource:~/.shosts
Below is a sample session:
ptolemy@myhost 4% echo "myhost.eecs.berkeley.edu" > /tmp/shosts
ptolemy@myhost 5% chmod 0600 /tmp/shosts
ptolemy@myhost 6% scp /tmp/shosts gigasource:~/.shosts
Enter passphrase for RSA key 'ptolemy@myhost.eecs.berkeley.edu': your passphrase
shosts | 0 KB | 0.0 kB/s | ETA: 00:00:00 | 100%
ptolemy@myhost 7%
- On your Windows machine, check to see if the file c:\ssh\etc\ssh_host_key.pub exists:
- If it does not exist, generate host keys on your Unix machine and copy them over. Note that the ssh-keygen command that is shipped with the Windows CVS SSH package will not work; you should run ssh-keygen on a Unix host. Note that the -N below indicates that your computer will not have a passphrase.
cd /tmp
ssh-keygen -b 1024 -f ssh_host_key -N ''
On Windows, you can copy the files with scp. If you use scp here, note that scp does not understand the Windows c: naming convention; it thinks c: is a machine named 'c'. To copy the file under bash on Windows:
cd c:/ssh/etc
scp yourunixmachine:/tmp/ssh_host_key.pub .
scp yourunixmachine:/tmp/ssh_host_key .
On the Unix machine, remove /tmp/ssh_host_key
- If c:/etc/ssh/ssh_host_key.pub exists on your Windows machine,
copy it to a temporary file on the Unix machine:
cd c:/ssh/etc
scp ssh_host_key.pub yourunixmachine:/tmp
- Set up ~/.ssh/known_hosts on gigasource:
On gigasource, ~/.ssh/known_hosts lists hosts that are allowed to connect without a password. Since we can't edit files on gigasource from the restricted shell, we create the file on the local machine and copy it over to gigascale.
Note that if you are connecting from multiple machines, you will need to add a line to this file for each machine you are connecting from. The easiest way to do this is to use scp to transfer the file to a local machine, edit the file locally and then scp it back to gigasource.
- Grab the contents of the copy of ssh_host_key.pub that you either generated or copied over, and create a temporary file.
- Add the fully qualified domain name of the Windows machine to the beginning of the line.
You should end up with something like
maury.eecs.berkeley.edu 1024 17 27348124368712489214987214872164987243
where the last number is several lines long.
- Copy the file:
scp /tmp/known_hosts source:~/.ssh/known_hosts
- From the local machine, test ssh with:
ssh -v source cvs
You should not have to type in your password.
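The known_hosts line from the steps above can be built and checked mechanically rather than by hand-editing. The following is an added example, not part of the original instructions: it assumes the ssh1 public key layout "bits exponent modulus [comment]" implied by the sample line, and known_hosts_line is a hypothetical helper name. The demo key at the end is constructed, not a real host key.

```sh
#!/bin/sh
# Added example, not from the original page; known_hosts_line is a
# hypothetical helper name.
#
# known_hosts_line FQDN PUBFILE
#   PUBFILE is an ssh1 host public key: "bits exponent modulus [comment]".
#   Prints "FQDN bits exponent modulus", the layout of the sample line above.
known_hosts_line() {
    host=$1 pub=$2
    # The server looks the key up under the client's canonical host name,
    # so a short name such as "maury" can never match.
    case $host in
        *[!A-Za-z0-9.-]*) echo "bad character in host name: $host" >&2; return 1 ;;
        *.*) ;;
        *) echo "not a fully qualified name: $host" >&2; return 1 ;;
    esac
    [ -f "$pub" ] || { echo "no such file: $pub" >&2; return 1; }
    # Accept exactly one non-empty line with three numeric fields, and a
    # modulus with roughly bits*log10(2) decimal digits. A key pasted from a
    # wrapped terminal arrives as several lines or truncated and fails here.
    awk -v h="$host" '
        NF == 0 { next }
        { n++ }
        n == 1 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ &&
            length($3) >= int(($1 - 8) * 0.301) {
            line = h " " $1 " " $2 " " $3; ok = 1
        }
        END { if (n == 1 && ok) print line; else exit 1 }
    ' "$pub" || { echo "$pub: not a complete one-line ssh1 key" >&2; return 1; }
}

# Constructed demo input: 309 sevens stand in for a 1024-bit modulus.
demo=$(mktemp -d)
mod=$(awk 'BEGIN { for (i = 0; i < 309; i++) printf "7" }')
printf '1024 17 %s root@maury\n' "$mod" > "$demo/ssh_host_key.pub"
known_hosts_line maury.eecs.berkeley.edu "$demo/ssh_host_key.pub" > "$demo/known_hosts"
cut -c1-40 "$demo/known_hosts"   # show the start of the generated line
rm -rf "$demo"
```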
Troubleshooting CVS SSH under NT
- Run
ssh -v yourunixmachine cvs
and check the output, which should look like:
ptolemy@carson 8% ssh -v source cvs
SSH Version 1.2.26 [sparc-sun-solaris2.5.1], protocol version 1.5.
Standard version. Does not use RSAREF.
carson.eecs.berkeley.edu: Reading configuration data /etc/ssh_config
carson.eecs.berkeley.edu: ssh_connect: getuid 4035 geteuid 0 anon 0
carson.eecs.berkeley.edu: Connecting to gigasource [128.32.171.225] port 22.
carson.eecs.berkeley.edu: Allocated local port 1021.
carson.eecs.berkeley.edu: Connection established.
carson.eecs.berkeley.edu: Remote protocol version 1.5, remote software version 1.2.26
carson.eecs.berkeley.edu: Waiting for server public key.
carson.eecs.berkeley.edu: Received server public key (768 bits) and host key (1024 bits).
carson.eecs.berkeley.edu: Host 'gigasource' is known and matches the host key.
carson.eecs.berkeley.edu: Initializing random; seed file /users/ptolemy/.ssh/random_seed
carson.eecs.berkeley.edu: Encryption type: idea
carson.eecs.berkeley.edu: Sent encrypted session key.
carson.eecs.berkeley.edu: Installing crc compensation attack detector.
carson.eecs.berkeley.edu: Received encrypted confirmation.
carson.eecs.berkeley.edu: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
carson.eecs.berkeley.edu: Remote: Accepted by .shosts.
carson.eecs.berkeley.edu: Remote: Your host key cannot be verified: unknown or invalid host key.
carson.eecs.berkeley.edu: Remote: The host name used to check the key was 'carson.eecs.berkeley.edu'.
carson.eecs.berkeley.edu: Remote: Try logging back from the server machine with the canonical host name using ssh, and then try again.
carson.eecs.berkeley.edu: Server refused our rhosts authentication or host key.
carson.eecs.berkeley.edu: No agent.
carson.eecs.berkeley.edu: Trying RSA authentication with key 'ptolemy@maury.eecs.berkeley.edu'
carson.eecs.berkeley.edu: Received RSA challenge from server.
carson.eecs.berkeley.edu: Bad passphrase supplied for key file /users/ptolemy/.ssh/identity.
Enter passphrase for RSA key 'ptolemy@maury.eecs.berkeley.edu': your CVS passphrase
carson.eecs.berkeley.edu: Sending response to host key RSA challenge.
carson.eecs.berkeley.edu: Remote: RSA authentication accepted.
carson.eecs.berkeley.edu: RSA authentication accepted by server.
carson.eecs.berkeley.edu: Requesting X11 forwarding with authentication spoofing.
carson.eecs.berkeley.edu: Sending command: cvs
carson.eecs.berkeley.edu: Entering interactive session.
Usage: cvs [cvs-options] command [command-options-and-arguments]
where cvs-options are -q, -n, etc.
(specify --help-options for a list of options)
where command is add, admin, etc.
(specify --help-commands for a list of commands
or --help-synonyms for a list of command synonyms)
where command-options-and-arguments depend on the specific command
(specify -H followed by a command name for command-specific help)
Specify --help to receive this message
The Concurrent Versions System (CVS) is a tool for version control.
For CVS updates and additional information, see
Cyclic Software at http://www.cyclic.com/ or
Pascal Molli's CVS site at http://www.loria.fr/~molli/cvs-index.html
carson.eecs.berkeley.edu: Transferred: stdin 0, stdout 716, stderr 0 bytes in 0.1 seconds
carson.eecs.berkeley.edu: Bytes per second: stdin 0.0, stdout 12490.8, stderr 0.0
carson.eecs.berkeley.edu: Exit status 1
ptolemy@carson 9%
- Check the value of the CVSROOT environment variable. It should
be something like:
:ext:myhost.eecs.berkeley.edu:/users/cvs/Repository
- Be sure that you have created a key on the Unix side and
copied the identity* files from Unix to NT
- Be sure that $HOME is set for your NT account
- Try using the ssh.exe binary that the $CVS_RSH variable refers to.
Below is an example where we rsh over to carson and get the date:
bash-2.02$ echo $CVS_RSH
D:\Program Files\Ptolemy\CVS SSH\ssh.exe
bash-2.02$ /Program\ Files/Ptolemy/CVS\ SSH/ssh carson date
Enter passphrase for RSA key 'cxh@myhost.eecs.berkeley.edu':
ld.so.1: /usr/local/bin/xauth: warning: /usr/4lib/libXmu.so.4.0: has older revision than expected 10
Thu Feb 4 15:35:06 PST 1999
Below is an example that failed because of an incorrect CVS password. Note that the password is prompted for twice:
bash-2.02$ /Program\ Files/Ptolemy/CVS\ SSH/ssh carson date
Enter passphrase for RSA key 'cxh@myhost.eecs.berkeley.edu':
Bad passphrase.
Password:
Permission denied.
bash-2.02$
- Verify that you can use ssh to connect between two Unix boxes.
- Check ssh_config. RSAAuthentication and/or RhostsRSAAuthentication must be turned on. One way to do this locally is by having an /Program Files/Ptolemy/CVS SSH/ssh_config file that looks like:
Host *
RSAAuthentication yes
RhostsRSAAuthentication yes
- Reboot NT.